Security researchers recorded a 67 percent year-on-year increase in malware targeting Android devices between June 2024 and May 2025. They also identified 239 malicious applications that evaded Google Play's security filters and were downloaded 42 million times.
Many of these were productivity and workflow tools in the "Tools" category, taking advantage of users' trust in functional apps and their desire to support remote work.
The manufacturing and energy sectors experienced the highest volume of mobile-focused attacks, with the energy sector seeing a 387 percent annual jump in mobile threats. India, the United States, and Canada generated most malicious mobile traffic, accounting for 26 percent, 15 percent, and 14 percent of observed traffic respectively. India's mobile threat volume rose 38 percent year on year.
For internet of things (IoT) threats, 40 percent of blocked requests were associated with the Mirai malware family and 35 percent with the Gafgyt variant.
Manufacturing and transportation were the most frequently targeted industries for IoT attacks, each responsible for about one-fifth of observed incidents, a change from the prior year when manufacturing alone accounted for 36 percent and transportation 14 percent.
The United States was the top geographic target for IoT attacks with 54 percent of all observed activity, followed by Hong Kong at 15 percent, Germany at six percent, India at five percent, and China at four percent.
Google stated that its Google Play Protect safeguards were already blocking the identified malware variants before the report period ended and that, based on its current detections, no apps containing those malware versions remain available on Google Play. Improvements to user protections continue.
Source: https://www.infosecurity-magazine.com/news/apps-download-41-million-times/
Commentary
In the case above, online criminals targeted business applications.
Online criminals increasingly target business applications, especially tools and productivity apps, because they combine high user trust, extensive permissions, and direct access to valuable data and systems.
Employees rely on these apps to keep hybrid and remote work moving, so they routinely grant them network access, file access, and notification privileges with minimal scrutiny. This creates an ideal delivery mechanism for malware and credential theft.
Threat actors also know that organizations often fast-track tool adoption to support workflows, which can outpace security review and patching. Fast-tracking can also leave configuration gaps and unmonitored integrations that criminals can quietly exploit.
Once a malicious or compromised tool is installed, attackers can harvest login credentials, session cookies, and multi-factor tokens. This gives them the ability to move laterally into cloud services, advertising platforms, and financial applications while appearing as legitimate users.
Campaigns impersonating popular productivity, VPN, editing, and messaging tools further increase the odds of success, because victims believe they are downloading familiar brands that will improve efficiency or connectivity.
For criminal groups, these factors translate into an attractive return on investment. A single widely used tool can deliver millions of installs, as seen in recent incidents where hundreds of malicious Android apps in the Tools category were downloaded more than 40 million times globally.
The final takeaway is that the combination of scale, embedded trust, and common business access explains why productivity and workflow tools remain a preferred vector for infiltrating enterprise environments. Criminals monetize attacks through data theft, extortion, and unauthorized use of business accounts.